-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2012:154-1
http://www.mandriva.com/security/
_______________________________________________________________________

Package : apache
Date    : October 1, 2012
Affected: 2011.
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in apache (ASF
HTTPD):

Insecure handling of LD_LIBRARY_PATH was found that could lead to the
current working directory being searched for DSOs. This could allow a
local user to execute code as root if an administrator runs apachectl
from an untrusted directory (CVE-2012-0883).

Possible XSS for sites which use mod_negotiation and allow untrusted
uploads to locations which have MultiViews enabled (CVE-2012-2687).

The updated packages have been upgraded to the latest 2.2.23 version
which is not vulnerable to these issues.

Update:

Packages for Mandriva Linux 2011 are also being provided.
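The LD_LIBRARY_PATH problem above is a general shell-scripting defect, not something specific to apachectl: the dynamic loader treats an empty component of LD_LIBRARY_PATH (a leading or trailing ':' or a '::') as the current working directory, and a wrapper script that builds the variable as "$DIR:$LD_LIBRARY_PATH" while the variable is unset produces exactly such a trailing ':'. The following editor-written example (not from the advisory and not Apache's own envvars script) gives an auditing check for a library-path value plus a construction that cannot introduce the empty component; the function names check_ld_library_path and prepend_lib_dir and the sample values are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Apache's envvars script.
# Function names and sample values are constructed for this illustration.

# check_ld_library_path VALUE
# Returns 0 when every component is an absolute path, 1 when the value
# contains an empty component (loader searches the cwd) or a relative
# one (loader searches relative to the cwd). The offending entry is
# reported on stderr.
check_ld_library_path() {
    value="$1"
    # Unset or empty: the loader uses only its built-in directories.
    [ -z "$value" ] && return 0
    # A leading, trailing or doubled ':' is an empty component, i.e. '.'.
    case "$value" in
        :*|*:|*::*)
            echo "empty component (cwd is searched): '$value'" >&2
            return 1 ;;
    esac
    # Walk the colon-separated entries; each must be an absolute path.
    old_ifs="$IFS"; IFS=:
    for entry in $value; do
        case "$entry" in
            /*) ;;
            *)
                IFS="$old_ifs"
                echo "relative component: '$entry'" >&2
                return 1 ;;
        esac
    done
    IFS="$old_ifs"
    return 0
}

# prepend_lib_dir DIR CURRENT
# Prints DIR prepended to CURRENT, omitting the ':' when CURRENT is
# unset or empty so that no empty component is ever created.
prepend_lib_dir() {
    if [ -z "$2" ]; then
        printf '%s\n' "$1"
    else
        printf '%s:%s\n' "$1" "$2"
    fi
}

# Demonstration on constructed values: run the file with --demo.
if [ "${1:-}" = "--demo" ]; then
    for v in "/usr/lib:/usr/local/lib" "/usr/lib:" ":/usr/lib" \
             "/usr/lib::/opt/lib" "/usr/lib:lib"; do
        if check_ld_library_path "$v"; then
            echo "OK   $v"
        else
            echo "BAD  $v"
        fi
    done
    # Naive concatenation with an unset variable versus the guarded form.
    echo "naive:   '$(printf '%s:%s' /usr/lib "${UNSET_VAR:-}")'"
    echo "guarded: '$(prepend_lib_dir /usr/lib "${UNSET_VAR:-}")'"
fi
```

The check is useful as a pre-start assertion in any service wrapper that exports a library path, and the guarded prepend is the shape to use when a wrapper must add its own lib directory in front of whatever the administrator's environment already carries.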
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.apache.org/dist/httpd/CHANGES_2.2.23
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2011:
304de24601ba6d0511bb81b874a0f233  2011/i586/apache-base-2.2.23-0.1-mdv2011.0.i586.rpm
2cb8260077a6397789fbd5d4a4d085eb  2011/i586/apache-conf-2.2.23-0.1-mdv2011.0.i586.rpm
30b35a2b7e38d194a2616aabf282fc8e  2011/i586/apache-devel-2.2.23-0.1-mdv2011.0.i586.rpm
808b441d5f6a4dfe677027f052be5b2e  2011/i586/apache-doc-2.2.23-0.1-mdv2011.0.noarch.rpm
48e1b89096e022e2370846ee6be23cb0  2011/i586/apache-htcacheclean-2.2.23-0.1-mdv2011.0.i586.rpm
69e8ff977665c5ffcaa56a633a9c075d  2011/i586/apache-mod_authn_dbd-2.2.23-0.1-mdv2011.0.i586.rpm
cef83ce377d853787f157372d174e43a  2011/i586/apache-mod_cache-2.2.23-0.1-mdv2011.0.i586.rpm
e727d7356474d2899d971ded9ead528a  2011/i586/apache-mod_dav-2.2.23-0.1-mdv2011.0.i586.rpm
a6d4a2d3bde1c22f9885e45674acb859  2011/i586/apache-mod_dbd-2.2.23-0.1-mdv2011.0.i586.rpm
e95a0e806ed2714f58c4931f923dd9ff  2011/i586/apache-mod_deflate-2.2.23-0.1-mdv2011.0.i586.rpm
eea3f9df618d84f4d7718fa7f7ed7fc2  2011/i586/apache-mod_disk_cache-2.2.23-0.1-mdv2011.0.i586.rpm
f4e5b517609491cff78e787478701c2d  2011/i586/apache-mod_file_cache-2.2.23-0.1-mdv2011.0.i586.rpm
e6b6bf3657df8d57f714b376f0a46c17  2011/i586/apache-mod_ldap-2.2.23-0.1-mdv2011.0.i586.rpm
f08c6df85eee5fb376495a1962fe3b70  2011/i586/apache-mod_mem_cache-2.2.23-0.1-mdv2011.0.i586.rpm
8e0e8200b769acf3c5e4bbe7726fd915  2011/i586/apache-mod_proxy-2.2.23-0.1-mdv2011.0.i586.rpm
6c999383b58c6ee96282386b4fb7d9ea  2011/i586/apache-mod_proxy_ajp-2.2.23-0.1-mdv2011.0.i586.rpm
20b0d2479343f49409b5e31e9338f4dc  2011/i586/apache-mod_proxy_scgi-2.2.23-0.1-mdv2011.0.i586.rpm
1e51299c37aa0cbd03a65a260d12ddeb  2011/i586/apache-mod_reqtimeout-2.2.23-0.1-mdv2011.0.i586.rpm
0ddbed217d6677478b0a2a01732ff491  2011/i586/apache-mod_ssl-2.2.23-0.1-mdv2011.0.i586.rpm
0a14fbf39eab16eb6f306545149d1d08  2011/i586/apache-mod_suexec-2.2.23-0.1-mdv2011.0.i586.rpm
58a903513f5debd76f3af90df3cb81f2  2011/i586/apache-modules-2.2.23-0.1-mdv2011.0.i586.rpm
92dc4453fc1412585be0a2d6910ad1bb  2011/i586/apache-mod_userdir-2.2.23-0.1-mdv2011.0.i586.rpm
a6fcd50c146c04c53adfd63cdeff0886  2011/i586/apache-mpm-event-2.2.23-0.1-mdv2011.0.i586.rpm
2789b0dff916fbc432705402ccaf48b0  2011/i586/apache-mpm-itk-2.2.23-0.1-mdv2011.0.i586.rpm
1373ec52e55560feab9bbc4841d121c7  2011/i586/apache-mpm-peruser-2.2.23-0.1-mdv2011.0.i586.rpm
02b03a8c84896f04ce7c4ee098db88f1  2011/i586/apache-mpm-prefork-2.2.23-0.1-mdv2011.0.i586.rpm
9fff7197d3b44a8dc4c328ae42b0c78d  2011/i586/apache-mpm-worker-2.2.23-0.1-mdv2011.0.i586.rpm
b377ef4867bb4bb4740b6c454c673ae9  2011/i586/apache-source-2.2.23-0.1-mdv2011.0.i586.rpm
ff8b62d886256d35b4b48b599dde8b42  2011/SRPMS/apache-2.2.23-0.1.src.rpm
b293c41bc67cd64e55d4f76cbc01e5fa  2011/SRPMS/apache-conf-2.2.23-0.1.src.rpm
7b26aff710ef4cf8761ee0f2d56335de  2011/SRPMS/apache-mod_suexec-2.2.23-0.1.src.rpm

Mandriva Linux 2011/X86_64:
c4985b28e7ec9150a212a50b83acf971  2011/x86_64/apache-base-2.2.23-0.1-mdv2011.0.x86_64.rpm
1a47380b5c2408302ae45e53c57e3dd7  2011/x86_64/apache-conf-2.2.23-0.1-mdv2011.0.x86_64.rpm
1ddc2098bd25562f20fb5dc13f15bbb4  2011/x86_64/apache-devel-2.2.23-0.1-mdv2011.0.x86_64.rpm
98ebe1c72a3f4393089f4dff74478aef  2011/x86_64/apache-doc-2.2.23-0.1-mdv2011.0.noarch.rpm
cdd1a070b46dae87bcc56c9ffdf787e1  2011/x86_64/apache-htcacheclean-2.2.23-0.1-mdv2011.0.x86_64.rpm
b63b8c6c86a1d12c0d7d975965c68520  2011/x86_64/apache-mod_authn_dbd-2.2.23-0.1-mdv2011.0.x86_64.rpm
f32eda71a0d502ed40c57160781a4ae7  2011/x86_64/apache-mod_cache-2.2.23-0.1-mdv2011.0.x86_64.rpm
83e739d64bbb194125a94ebd0f48e3dd  2011/x86_64/apache-mod_dav-2.2.23-0.1-mdv2011.0.x86_64.rpm
480f7d2b5871cf135c94693e51e0304f  2011/x86_64/apache-mod_dbd-2.2.23-0.1-mdv2011.0.x86_64.rpm
0bb1ce70ccc8faf9446ce4fb876463ac  2011/x86_64/apache-mod_deflate-2.2.23-0.1-mdv2011.0.x86_64.rpm
b5a054dd23f63b2853e3aedf0feeb0be  2011/x86_64/apache-mod_disk_cache-2.2.23-0.1-mdv2011.0.x86_64.rpm
17d3e7b2f6706d732d141f32a28b0bcc  2011/x86_64/apache-mod_file_cache-2.2.23-0.1-mdv2011.0.x86_64.rpm
afbd5756292b77c910191208530f11f9  2011/x86_64/apache-mod_ldap-2.2.23-0.1-mdv2011.0.x86_64.rpm
554905b1d3d606fa6d4d27a7fb24f5ab  2011/x86_64/apache-mod_mem_cache-2.2.23-0.1-mdv2011.0.x86_64.rpm
a8052b80204773827087adf071276075  2011/x86_64/apache-mod_proxy-2.2.23-0.1-mdv2011.0.x86_64.rpm
f5cdac9841f48f9de11cb70477924fd9  2011/x86_64/apache-mod_proxy_ajp-2.2.23-0.1-mdv2011.0.x86_64.rpm
54f266ab995d16892c9da04e2fe7be7d  2011/x86_64/apache-mod_proxy_scgi-2.2.23-0.1-mdv2011.0.x86_64.rpm
0cbfba26f9b4afdb27bb47f09d4544d1  2011/x86_64/apache-mod_reqtimeout-2.2.23-0.1-mdv2011.0.x86_64.rpm
1cada2498b31e1e218b11bce3f971033  2011/x86_64/apache-mod_ssl-2.2.23-0.1-mdv2011.0.x86_64.rpm
dbb6bbac5f46b0e38b45aa38cd5c264b  2011/x86_64/apache-mod_suexec-2.2.23-0.1-mdv2011.0.x86_64.rpm
2217d6023cedd9002c9882cc6d420ab9  2011/x86_64/apache-modules-2.2.23-0.1-mdv2011.0.x86_64.rpm
6e808ea12619204f2df8e1a2f9297652  2011/x86_64/apache-mod_userdir-2.2.23-0.1-mdv2011.0.x86_64.rpm
ef4f018d2c2d366ae4fefd105a9dc281  2011/x86_64/apache-mpm-event-2.2.23-0.1-mdv2011.0.x86_64.rpm
4f9347c3375eb9f36207731d11687d15  2011/x86_64/apache-mpm-itk-2.2.23-0.1-mdv2011.0.x86_64.rpm
55e80fe4664781176c1a10b18c948cc9  2011/x86_64/apache-mpm-peruser-2.2.23-0.1-mdv2011.0.x86_64.rpm
d1eb3c2f9348686c2dd461389dd28b9e  2011/x86_64/apache-mpm-prefork-2.2.23-0.1-mdv2011.0.x86_64.rpm
f95c3d4b86d7014b8df2ea025551eadf  2011/x86_64/apache-mpm-worker-2.2.23-0.1-mdv2011.0.x86_64.rpm
304e6bcde281da5142f612886f9ef182  2011/x86_64/apache-source-2.2.23-0.1-mdv2011.0.x86_64.rpm
ff8b62d886256d35b4b48b599dde8b42  2011/SRPMS/apache-2.2.23-0.1.src.rpm
b293c41bc67cd64e55d4f76cbc01e5fa  2011/SRPMS/apache-conf-2.2.23-0.1.src.rpm
7b26aff710ef4cf8761ee0f2d56335de  2011/SRPMS/apache-mod_suexec-2.2.23-0.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQaa9/mqjQ0CJFipgRAhruAJ9EC4FWiuzvbIXRyxeJEa6ifXWfngCfdzew
7eKtlYj6mMOMjJJ0oekKwnQ=
=t10D
-----END PGP SIGNATURE-----